
To 'bridge' or not to 'bridge'

Started by ardirtbiker, January 21, 2016, 05:28:59 PM


ardirtbiker

In LMCE 1204 and 1404, bridging appears to have changed within the Linux kernel. In 1004 I had bridged eth1 (internal NIC) with wlan0 (AP) following the instructions here: http://wiki.linuxmce.org/index.php/Access_Point
After changing 'eth1' in the firewall to 'br0' (the bridge interface), everything worked without a hitch.

In 1204 and 1404, when the bridge is set up the same, the MDs cannot access the NFS storage drives, but my wifi devices work fine.

Is there a better route to take other than bridging? Is there something else I need to do to the firewall?

Some internet sources suggest installing ebtables, setting up some rules there, and adding other rules to iptables. I don't quite grasp firewalls and am stuck.

Any suggestions will be greatly appreciated.

Dennis

Alblasco1702

Hello Dennis,

It isn't yet supported to bridge, but to help you further and test this,
I need some information from you:
- /etc/network/interfaces
- /etc/default/isc-dhcp-server
- iptables -vnL

ardirtbiker

Thanks Alblasco,

Here is my /etc/network/interfaces file:
# Activating interfaces
auto eth0 br0 lo

#####
# Loopback interface
#####
iface lo inet loopback

#####
# IPv4 network interfaces
#####

# --- External NIC ---
iface eth0 inet dhcp
pre-up sysctl -q -e -w  net.ipv6.conf.eth0.disable_ipv6=1
up /sbin/ifconfig eth0 up
down /sbin/ifconfig eth0 down

# --- Internal NIC ---
iface eth1 inet manual
pre-up sysctl -q -e -w net.ipv6.conf.eth1.disable_ipv6=1
up /sbin/ifconfig eth1 up
down /sbin/ifconfig eth1 down
#####

# --- Wireless NIC ---
iface wlan0 inet manual

# --- Bridge ---
iface br0 inet static
address 192.168.80.1
network 192.168.80.0
netmask 255.255.255.0
broadcast 192.168.80.255
gateway 192.168.1.254
pre-up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
bridge_ports eth1 wlan0
dns-nameservers 192.168.1.254 8.8.8.8
dns-search LinuxMCE.local
down /sbin/ifconfig br0 down

Here is /etc/default/isc-dhcp-server:
INTERFACES="br0"

and here is the output of iptables -vnL

Chain INPUT (policy DROP 3 packets, 116 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
    2    92 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
  492 57564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
    6  1616 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
    2   120 ACCEPT     tcp  --  br0    *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    4  2563 ACCEPT     tcp  --  br0    *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */

Chain OUTPUT (policy ACCEPT 317 packets, 45260 bytes)
pkts bytes target     prot opt in     out     source               destination
Let me know if you need anything else.

Dennis
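A quick audit of the listing above, as an added example (not LinuxMCE's own tooling): it parses the `iptables -vnL` format and reports, for each chain whose policy is DROP, which protocols arriving on br0 no ACCEPT rule admits. On the posted rules that is UDP and ICMP in FORWARD, because Allow_Local_Network there matches TCP only.

```python
# Added for this thread, not LinuxMCE code: parse the `iptables -vnL` listing posted
# above and report, per DROP-policy chain, which protocols from an interface fall through.
import re
# Constructed sample: an abridged copy of the listing posted in this thread.
SAMPLE = """\
Chain INPUT (policy DROP 3 packets, 116 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
  492 57564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    6  1616 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
    2   120 ACCEPT     tcp  --  br0    *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    4  2563 ACCEPT     tcp  --  br0    *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse(listing):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from `iptables -vnL` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [matches]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        chains[current]["rules"].append({"target": f[2], "proto": f[3],
                                         "in": f[5], "match": " ".join(f[9:])})
    return chains

def accepted_protos(chains, chain, iface):
    """Protocols `chain` ACCEPTs for a *new* flow on `iface` (ESTABLISHED/mark rules can't admit a first packet)."""
    return {r["proto"] for r in chains[chain]["rules"]
            if r["target"] == "ACCEPT" and r["in"] in ("*", iface)
            and "ESTABLISHED" not in r["match"] and "mark" not in r["match"]}

def new_traffic_gaps(chains, iface, protos=("tcp", "udp", "icmp")):
    """Map each DROP-policy chain to the protocols from `iface` that fall to the policy."""
    gaps = {}
    for chain, info in chains.items():
        ok = accepted_protos(chains, chain, iface)
        if info["policy"] == "DROP" and "all" not in ok:
            gaps[chain] = sorted(set(protos) - ok)
    return gaps
```

If br_netfilter is active (/proc/sys/net/bridge/bridge-nf-call-iptables reads 1), frames switched between eth1 and wlan0 also traverse the FORWARD chain, so a gap there affects traffic between the bridge's own ports and not only routed traffic.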

Alblasco1702

Hello Dennis,

Iptables is set up as the lmce-firewall writes the iptables rules in the background.
Bridging is so far the easiest way to do this; otherwise you need to create forward rules and change a lot of configuration files,
and I'm not sure if everything will get to work that way.

There seems to be a problem with the NFS config; I'm not sure where this problem is.
I'm checking here to be sure I'm not having this issue.
Your configuration so far seems right.

ardirtbiker

Thank you, sir!

I'll keep a lookout for a resolution to the nfs issue.



Dennis

ardirtbiker

Alblasco,

My recent reinstall of 12.04 seems to work fine with the bridge setup.

Just after install, I ran the SQL command
UPDATE Device_DeviceData SET IK_DeviceData="eth0,dhcp|br0,192.168.80.1,255.255.255.0" WHERE FK_DeviceData=32;

after my bridge was set up, then did an iptables -F followed by '/usr/pluto/bin/Network_Firewall.sh'.

I may not have needed to do all of that, but it works!


Dennis

Alblasco1702

Hello Dennis,

Nice that it works now. :)
I'm building this to set it up from the GUI, but there is a lot of work to do before it is that way. :P

Cheers, Alblasco1702.

phenigma

Alblasco, we really need a working firewall before any options or features are added. Thanks. I'll be fixing firewall bugs starting this weekend if it is not working at that point. Thanks.

J.
My setup: http://wiki.linuxmce.org/index.php/User:Phenigma

ardirtbiker

I value your efforts.

I was not aware the firewall was not completely up to snuff.

Yes, it would be awesome to be able to set up the bridging in website admin, but I have my config files saved on a storage drive.


Another note on the firewall... I haven't been able to get my work laptop to VPN into my work domain. Are the ports currently blocked? I think there are several that are involved.

Thanks

Dennis